VERMIN: Quasar RAT and Custom Malware Used In Ukraine

Summary
Palo Alto Networks Unit 42 has discovered a new malware family written using the Microsoft .NET Framework which the authors call “VERMIN”; an ironic term for a RAT (Remote Access Tool). Cursory investigation into the malware showed the attackers not only had flair for malware naming, but also for choosing interesting targets for their malware: nearly all the targeting we were able to uncover related to activity in Ukraine.
Pivoting further on the initial samples we discovered, and their infrastructure, revealed a modestly sized campaign going back to late 2015 using both Quasar RAT and VERMIN.
This blog shows the links between the activity observed, a walkthrough of the analysis of the VERMIN malware, and IOCs for all activity discovered.
It all began with a tweet
Our initial interest was piqued through a tweet from a fellow researcher who had identified some malware with an interesting theme relating to the Ukrainian Ministry of Defense as a lure.

The sample was an SFX exe which displayed a decoy document to users before continuing to execute the malware; the hash of the file is given below.

SHA256

31a1419d9121f55859ecf2d01f07da38bd37bb11d0ed9544a35d5d69472c358e

The malware was notable for its rare use of HTTP encapsulated SOAP, an XML based protocol used for exchanging structured information, for command and control (C2), which is something not often seen in malware samples. Using AutoFocus, we were quickly able to find similar samples, by pivoting on the artifacts the malware created during a sandbox run, resulting in 7 other samples as shown in Figure 2.

Using the Maltego for AutoFocus transforms, we were then able to take the newly discovered samples and look at the C2 infrastructure in an attempt to see if we could link the samples together and in turn see if these C2’s were contacted by malware. We quickly built up a picture of a campaign spanning just over 2 years with a modest C2 infrastructure:

Figure 3 – Further analysis using AutoFocus & other data sources allows us to link up the activity discovered so far.

The malware samples we discovered fell largely into two buckets: Quasar Rat and VERMIN. Quasar RAT is an open-source malware family which has been used in several other attack campaigns including criminal and espionage motivated attacks. But a reasonable number of the samples were the new malware family, VERMIN. Looking at the samples in our cluster we could see the themes of the dropper files were similar to our first sample. Notably, most of the other files we discovered did not come bundled with a decoy document and instead were simply the malware and dropper compiled with icons matching popular document viewing tools, such as Microsoft Word. Names of some of the other dropper binaries observed are given below, with the original Ukrainian on the left and the translated English (via Google) on the right:

Original Name (Ukrainian)

Translated Name (if applicable)

Ваш_ сертиф_кати для отримання безоплатно_ вторинно_ допомоги.exe

Your certificate for free_receive help.exe

доповідь2.exe

report2.exe

доповідь забезпечення паливом 08.06.17.exe

fuel supply report 08.06.17.exe

lg_svet_smeta2016-2017cod.exe.

N/A

lugansk_2273_21.04.2017.exe

N/A

Отчет-районы_2кв-л-2016.exe

Report-areas_2kv-l-2016.exe

Given the interesting targeting themes and the discovery of a new malware family, we decided to take a peek at what “VERMIN” was capable of and document it here.
Dissecting VERMIN
For this walkthrough, we’ll be going through the analysis of the following sample:

SHA256

98073a58101dda103ea03bbd4b3554491d227f52ec01c245c3782e63c0fdbc07

Compile Timestamp

2017-07-04 12:46:43 UTC

Analyzing the malware dynamically quickly gave us a name for the malware, based on the PDB string present in the memory of the sample:Z:\Projects\Vermin\TaskScheduler\obj\Release\Licenser.pdb
As is the case with many of the samples from the threat actors behind VERMIN, our sample is packed initially with the popular .NET obfuscation tool ConfuserEx. Using a combination of tools, we were able to unpack and deobfuscate the malware.
Following initial execution, the malware first checks if the installed input language in the system is equal to any of the following:

ru – Russian

uk – Ukrainian

ru-ru – Russian

uk-ua – Ukrainian

If none of the languages above is found the malware calls “Application.Exit()”, however despite its name, this API call doesn’t actually successfully terminate the application, and instead the malware will continue to run. It’s likely the author intended to terminate the application, in which case a call like “System.Environment.Exit()” would have been a better choice. The fact that this functionality does not work as intended suggests that if author tested the malware before deployment, they were likely to be doing so on systems where the language matches the list above, since otherwise they would notice that the function is not working as expected.
After passing the installed language check the malware proceeds to decrypt an embedded resource using the following logic:

It retrieves the final four bytes of the encrypted resource.

These four bytes are a CRC32 sum, and the malware then proceeds to brute force what 6-byte values will give this CRC32 sum.

Once it finds this array of 6 bytes it performs an MD5 hash sum on the bytes, this value is used as the key.

The first 16bytes of the encrypted resource are then used as the IV for decryption

Finally, using AES it decrypts the embedded resource.

A script mirroring this routine can be found in appendix C.
After decrypting the embedded resource, the malware passes several hardcoded arguments to the newly decrypted binary and performs a simple setup routine before continuing execution. The embedded resource contains all the main code for communications and functionality the RAT contains.
First the malware attempts to decrypt all of the strings passed as parameters. If no arguments were supplied the malware attempts to read a configuration file from a pre-defined location expecting it to be base64-encoded and encrypted with 3-DES using a hardcoded key “KJGJH&^$f564jHFZ”:C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\settings.dat
If arguments were supplied, they are saved and encrypted to the same location as above.
Parameters supplied are given below. Note that these are the actual variable names used by the malware author:

serverIpList

mypath

keyloggerPath

mutex

username

password

keyloggerTaskName

myTaskName

myProcessName

keyLoggerProcessName

myTaskDecription

myTaskAuthor

keyLoggerTaskDecription

keyLoggerTaskAuthor

The decrypted resource is set to be run as a scheduled task every 30 minutes, indefinitely.
After this, the malware is ready to start operations, and does so by collecting various information about the infected machine, examples of collected information includes but is not limited to:

Machine name

Username

OS name via WMI query

Architecture: x64 vs x86 (64 vs. 32 bit)

Local IP Address

Checks Anti-Virus installed via WMI query

If the Anti-Virus (AV) query determines any AV is installed the malware does not install the keylogger. The keylogger is embedded as a resource named ‘AdobePrintFr’. This binary is only packed with Confuser-Ex and is not further obfuscated.
The malware then sends its initial beacon using a SOAP envelope to establish a secure connection. The author uses the WSHttpBinding() API – which allows the author to use WS-Addressing and purposely sets the WSMessageEncoding.Mtom to encode the SOAP messages. The author also sets up for using ‘Username’ authentication for communicating with its C2, presumably allowing the author easier control over the various infected hosts. A defanged exemplar request/response is given below:

VERMIN collects all keystrokes and clipboard data and encrypts the data before storing it in the following folder:%appdata%\Microsoft\Proof\Settings.{ED7BA470-8E54-465E-825C-99712043E01C}\Profiles\.
Each file is saved with the following format: “{0:dd-MM-yyyy}.txt”. The data is encrypted using the same method and 3-DES key, used to encrypt the configuration file.
Vermin supports the following commands:

ArchiveAndSplit

CancelDownloadFile

CancelUploadFile

CheckIfProcessIsRunning

CheckIfTaskIsRunning

CreateFolder

DeleteFiles

DeleteFolder

DownloadFile

GetMonitors

GetProcesses

KillProcess

ReadDirectory

RenameFile

RenameFolder

RunKeyLogger

SetMicVolume

ShellExec

StartAudioCapture

StartCaptureScreen

StopAudioCapture

StopCaptureScreen

UpdateBot

UploadFile

For most of these commands, the malware requires “hands-on-keyboard” style one-to-one interactions.
Often remote access tools written in .NET borrow and steal code from other tools due to the plethora of code available through open source; however, it appears that whilst some small segments of code may have been lifted from other tools, this RAT is not a fork of a well-known malware family: it’s mostly original code.
We have linked all the samples we have been able to identify to the same cluster of activity: this strongly suggests the VERMIN malware is used exclusively by this threat actor and this threat actor alone.

Concluding thoughts
We were unable to definitively determine the aims of the attackers or the data stolen. However, given the limited number of samples, the targeting themes observed, and the “hands-on-keyboard” requirement for most of the malwares’ operations (except for keylogging), it seems likely that the malware is used in targeted attacks in Ukraine.
Ukraine remains a ripe target for attacks, even gaining its own dedicated Wikipedia page for attacks observed in 2017. In addition to the high-profile attacks such as the Petya/NotPetya and BadRabbit, which have been widely reported, there are likely many smaller campaigns like the one described in this blog aimed to steal data to gain an information advantage for the attackers’ sponsors.
Palo Alto Networks defends our customers against the samples discussed in this blog in the following ways:

Wildfire identifies all samples mentioned in this article as malicious.

Traps identifies all samples mentioned in this article as malicious.

C2 domains used in this campaign are blocked via Threat Prevention.

AutoFocus customers can track samples related to this blog via the following tags: